Top 10 Windows 10 Features #10: Device Guard

This year, perhaps this time actually for the last time (for real), I present my selections for the 10 features that will make or break the success of the next version of Microsoft Windows, specifically for the enterprise.

It’s where I make a critical assessment of the features that distinguish the next version of Windows from the previous versions, and point out the ones that are important enough to stake the future of the product line on.

If Windows 10 succeeds in business, these will be the reasons why. And if it fails, these will still be the reasons. I will begin, as always, backwards.

In fact, it creates a potential fork in the road. You see, Windows 10 for volume licensees will remain a licensed product.

Customers subscribing to Microsoft’s Software Assurance program will be upgraded in some other way, and with a little more than a month to go before general availability, the only word the company has given as to how this will happen is in the form of small print at the bottom of this FAQ page: “Active Software Assurance customers in volume licensing have the benefit to upgrade to Windows 10 enterprise offerings outside of this offer.”

So the question is actually far from moot.

Microsoft was willing to eat a chunk of revenue it would have received from consumers. But now it has to convince enterprises that the new operating system is worthy of some degree of commercial investment, even if it ends up being just an extension of the existing Software Assurance program.

Even as close as we are to July 29, we can’t state for certain that what volume licensees receive through Windows Update won’t be somewhat different from Windows 10 Pro, the commercial package to be offered to business customers as an upgrade from Windows 7 Professional and Windows 8.1 Pro.

However, testers of the Preview build of Windows 10 Pro have used features that are significant enough to warrant consideration by businesses, even if they end up paying for the upgrade.

In this first part of ten, I’ll begin with the culmination of a feature that Microsoft had originally envisioned for Windows Vista: one that restricts untrusted code to a secure sandbox.

A Rational Fear of the Unknown

The perennial problem with operating systems is that they are capable of executing binary code whose source is indeterminate. Forensic archaeologists a thousand years hence may yet conclude this was the intended purpose of Windows XP.

For well over a decade, Microsoft had worked with Intel, the Trusted Computing Group, and device manufacturers to devise a system whereby binary code could only be executed when it has been digitally signed by a trusted source.

The problem with that system, infosec professionals pointed out, is that the service checking the digital signatures could always be compromised.

“Always” assumed one big thing: that the service was a component of the operating system being compromised. A set of technologies, some existing and some new, which Windows 10 will call Device Guard destroys that assumption, in a clever and yet surprisingly obvious way.

Device Guard will run as a virtual machine, under the direction of the latest Hyper-V hypervisor and the control of Intel’s VT virtualization functions on Core and Xeon processors.

“What Device Guard allows us to do is set policies about what software is allowed to run on a particular device,” explained Microsoft Corporate Vice President Brad Anderson during last month’s Ignite 2015 keynote address. “For example, you may say that only applications that come from the Windows Store are authorized to run on my device.”

On the surface, that sounds self-serving for Microsoft, until you realize the expanded purpose of the “Store” in Windows 10. In Windows 8 and 8.1, “Store” was essentially the portal for downloading the WinRT class of “Metro” or “Modern” or “Insert pointless name here” applications that few people actually used.

In Win10, Store expands to become an installation framework for every type of software that Windows runs, including Win32 API applications, .NET Framework applications, and software from outside Microsoft.

Store is now an installation portal, and enterprises may customize it, for example, to include only selected applications that admins distribute from on-premises servers. So Anderson is not saying here that Device Guard will restrict Windows 10 to only running the Solitaire app and the Weather app.

No, No Nagware

Microsoft first demonstrated something with essentially this very same goal back in 2009, and admins are very familiar with AppLocker now. Conference speaker and technology author Mark Minasi described Device Guard as like AppLocker, “but it works.”

As Minasi explained to Windows admins, a list of approved apps is presented to Device Guard as an XML file. Device Guard converts this file into binary form, in order to imprint it into the image of the virtual machine running on Hyper-V.

“You can thus say, ‘Trust all software signed by Microsoft,’ or, ‘Trust all software signed by Adobe,’” explained Minasi.
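As an added illustration (not from the article, and not Microsoft’s or Minasi’s own material), here is the PowerShell workflow that implements the XML-to-binary step just described, using the ConfigCI cmdlets shipped with Windows 10 Enterprise; the file paths and the certificate file are placeholders I have assumed.

```powershell
# Added example: build a Device Guard code-integrity policy of the
# "trust everything signed by publisher X" kind, then convert it to the
# binary form that the hypervisor-isolated enforcement actually consumes.
# Assumptions: Windows 10 Enterprise with the ConfigCI module; paths are placeholders.
$xmlPolicy = 'C:\DG\InitialPolicy.xml'        # placeholder path
$binPolicy = 'C:\DG\SIPolicy.p7b'             # placeholder path

# Scan a clean reference machine. -Level Publisher emits signer rules
# ("trust all software signed by this publisher"); -Fallback Hash covers
# any unsigned binaries the scan finds so they are not silently dropped.
# -UserPEs includes user-mode executables, not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $xmlPolicy -ScanPath 'C:\' -UserPEs

# "Trust all software signed by Adobe" style rule: add a signer rule from a
# publisher certificate exported earlier (placeholder path).
Add-SignerRule -FilePath $xmlPolicy -CertificatePath 'C:\DG\publisher.cer' -User

# Rule option 3 is "Enabled:Audit Mode": violations are logged, not blocked.
# Keep it on until the audit log shows no legitimate line-of-business software
# being flagged; remove it (-Delete) only when moving to enforcement.
Set-RuleOption -FilePath $xmlPolicy -Option 3

# Convert the XML policy to the binary form the article mentions. The result is
# deployed as C:\Windows\System32\CodeIntegrity\SIPolicy.p7b on target machines.
ConvertFrom-CIPolicy -XmlFilePath $xmlPolicy -BinaryFilePath $binPolicy

# Defender's check: in audit mode, code that the policy would have blocked is
# recorded as event 3076 in the CodeIntegrity operational log.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message
```

Run the audit for a representative period on pilot machines before deleting option 3, since every 3076 event becomes a hard block once the policy is enforced.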

Vista had a similar mode in its original incarnation of User Account Control, which allowed administrators to permit only signed code to execute on a system.

That might have made sense, Minasi noted, if developers signed their code in 2006. It might even have worked, had users and even outside programs not adopted the annoying habit of turning UAC off.

With Device Guard in place, explains Minasi, “if someone wants to put malware on your system, they can do it, but they’ve got to sign the app.”

Although Vista was the least liked version of Windows prior to Windows 8, the few enterprises that adopted it right away saw plummeting rates of malware infestations, and those rates stayed low under Windows 7.

Device Guard creates a new and tighter form of application registry that’s based around the Windows 10 Store as the distribution mechanism. Its existence compels legitimate applications to join this registry. Vista might have had a similar opportunity, had its UAC feature not gotten in users’ way.

The success of Device Guard as an enterprise feature rests on its ability to do its job without users knowing it.
